5 Enterprise Mobile Security Tips for Financial Firms

With all financial firms rolling out mobile apps for customers and internal employees, here are five security requirements every firm must follow.

Financial firms are increasingly using the mobile environment for applications to serve their clientele better. Modern work platforms enable financial applications to be developed quickly for optimal collaboration and peak customer experience.

For example, CME Group, the world's leading derivatives marketplace, needed to automate workflows, improve end-to-end visibility, and enable continuous improvement. It applied a modern work platform to create applications, consolidating processes while leveraging mobile for improved access and shorter response times.

At a more local level, the Bank of Tennessee has created mobile applications to enable its loan officers to process mortgages wherever it's most convenient for its customers -- enabling this community bank to level the playing field with the big boys.

As useful as mobile-enabled applications can be for the financial services industry, adding mobility can pose serious concerns for enterprise IT, particularly in terms of security.

Financial industry leaders must ensure their mobile-enhanced applications comply with a variety of security requirements. The five most important requirements are:

Secure network communication

Secure local data storage

Protection against malware

Secure authentication

Remote disablement

Let's look in closer detail at each requirement and what you need to keep in mind.

Secure network communication
Make certain that all communication between client devices and servers is transmitted over HTTPS (SSL/TLS encryption). HTTPS is the industry standard for secure web communication between devices. Limiting connections to servers that present a trusted SSL certificate ensures unauthorized parties cannot intercept or impersonate the connection. Address any vulnerabilities to the Heartbleed bug; fortunately, the flaw is limited to OpenSSL version 1.0.1 and the 1.0.2 beta releases.

Also, consider configuring mobile applications to work with a secure virtual private network (VPN) connection from the mobile device. This will allow clients to establish a secure connection to systems behind the enterprise firewall, and it ensures that your servers will not be directly accessible from the public Internet.
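The two checks described above (trusting only servers with a known certificate, and refusing weak protocol versions) can be expressed directly in the client's TLS configuration. The following Go example is added here for illustration; it is not code from the article or from Appian. The host name, the pin value and the `/accounts` path are placeholders, and the pin is the SHA-256 of the server's DER-encoded leaf certificate, which the operator would compute from the deployed certificate in advance.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// certPin returns the lowercase hex SHA-256 of a DER-encoded certificate.
// Pinning the leaf certificate hash is the simplest form of pinning; it
// must be updated whenever the server certificate is renewed.
func certPin(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinMatches reports whether the certificate hashes to one of the allowed pins.
func pinMatches(der []byte, allowed map[string]bool) bool {
	return allowed[certPin(der)]
}

// newPinnedTLSConfig builds a client TLS configuration that (1) refuses
// anything older than TLS 1.2, (2) keeps normal chain and host name
// verification enabled, and (3) additionally requires the server's leaf
// certificate to match one of the expected pins.
func newPinnedTLSConfig(serverName string, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		ServerName:         serverName,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false, // never disable chain validation to "make it work"
		// VerifyPeerCertificate runs after the standard chain validation has
		// succeeded, so a pin mismatch is an extra rejection, not a replacement
		// for certificate validation.
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no server certificate presented")
			}
			if !pinMatches(rawCerts[0], allowed) {
				return fmt.Errorf("server certificate pin mismatch for %s", serverName)
			}
			return nil
		},
	}
}

// newPinnedClient wires the configuration into an HTTP client with a timeout,
// so a stalled connection cannot hang the app indefinitely.
func newPinnedClient(serverName string, allowed map[string]bool) *http.Client {
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{TLSClientConfig: newPinnedTLSConfig(serverName, allowed)},
	}
}

func main() {
	// Placeholder host and pin: a real deployment uses the API host and the
	// hash of its deployed leaf certificate.
	pins := map[string]bool{"<sha256-of-real-leaf-cert>": true}
	client := newPinnedClient("api.example-bank.invalid", pins)
	_, err := client.Get("https://api.example-bank.invalid/accounts")
	fmt.Println("request result:", err) // fails here because the host is a placeholder
}
```

If the pin check fails, the handshake is aborted before any application data is sent, which is the behaviour you want on a hostile network; the trade-off is that a certificate rotation on the server requires an app update or a pin list fetched from a second, independently verified source.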

Secure authentication
Authentication from mobile devices must be handled on the server side to ensure that a central administrator maintains control of this aspect of security. Authentication architecture must be easily integrated with your corporate LDAP or SSO authentication servers.

Secure local data storage
It goes almost without saying that server location and user ID information on each mobile device must be encrypted. Documents downloaded to the mobile device must also be stored locally in an encrypted format.

Avoid storing enterprise data on mobile devices; instead, deliver it on demand to the user over a secure network connection. By storing only the minimum amount of data required for local processing, encrypting that data locally, and using secure network communication for everything else, you maximize enterprise data security.
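As an added example (not code from the article or from Appian), the following Go program keeps exactly the two items the text names, the server location and the user ID, as the only locally persisted record, and seals them with AES-256-GCM so that a tampered or moved copy is rejected on read. The encryption key is assumed to be supplied by the platform key store (Android Keystore or iOS Keychain); the demo generates a random one in its place, and the profile values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// LocalProfile is the only record the app keeps on the device: where to
// connect and who the user is. Account data is fetched on demand over the
// secure channel and never written to local storage.
type LocalProfile struct {
	ServerURL string `json:"server_url"`
	UserID    string `json:"user_id"`
}

// newGCM builds the AEAD; a wrong-length key is refused up front.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a profile with AES-256-GCM. The key is assumed to come from
// the platform key store, never from a constant in the app. The result is
// nonce || ciphertext || tag; `label` is bound as additional authenticated
// data so a blob copied into a different storage slot fails to decrypt.
func Seal(key []byte, p LocalProfile, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(label)), nil
}

// Open reverses Seal. Any modification of the blob, a different key, or a
// different label makes the authentication tag fail, so corrupted or
// tampered data is rejected rather than silently parsed.
func Open(key, blob []byte, label string) (LocalProfile, error) {
	var p LocalProfile
	gcm, err := newGCM(key)
	if err != nil {
		return p, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return p, errors.New("stored blob too short")
	}
	plain, err := gcm.Open(nil, blob[:n], blob[n:], []byte(label))
	if err != nil {
		return p, errors.New("stored profile failed authentication (tampered or wrong key)")
	}
	if err := json.Unmarshal(plain, &p); err != nil {
		return p, err
	}
	return p, nil
}

func main() {
	// Constructed demo key; a real app obtains it from the platform key store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	profile := LocalProfile{ServerURL: "https://api.example-bank.invalid", UserID: "u-1234"}
	blob, err := Seal(key, profile, "profile")
	if err != nil {
		panic(err)
	}
	p, err := Open(key, blob, "profile")
	fmt.Printf("stored %d bytes, recovered user %q, err=%v\n", len(blob), p.UserID, err)
}
```

Because GCM authenticates as well as encrypts, the app can treat a decryption failure as a signal that local storage has been altered and fall back to re-fetching the profile from the server rather than trusting whatever is on disk.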

Protection against malware
Malicious applications steal information and infect devices, using common web attack techniques such as JavaScript injection (XSS) or SQL injection. These malicious apps concentrate on browser security holes as a primary means of attack.

Because mobile browsers are less mature than desktop browsers, staying with native mobile applications, rather than web interfaces, provides an immediate security layer for enterprise data.

Remote disablement
By some analysts' estimates, mobile device loss and theft can be as much as 50% higher than for laptop computers. If a mobile device is lost or stolen, it is common practice to disable that device remotely to prevent information theft or unauthorized software access. Mobile device platforms provide varying levels of support for remote disablement. Evaluate each individually for its merits and issues.

A native mobile client application makes it easy to disable features remotely, including removal of the application or locking its access.
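The server-side authentication requirement and the remote disablement requirement fit together: if every request is authorized centrally, an administrator can lock or wipe a lost device by changing its status on the server, and the app learns of the decision on its next request. The Go example below is added here to show that flow; it is not code from the article or from Appian. It assumes the corporate LDAP/SSO server has already verified the user's credentials before a session is issued, and it uses an in-memory registry, constructed user and device identifiers, and a hypothetical `AppClient` type in place of a real API service and mobile app.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// DeviceState is the server's record of what a device may do. Changing it
// here is what "remote disablement" means: the decision lives on the server,
// so it takes effect even if the phone is already in someone else's hands.
type DeviceState int

const (
	DeviceActive DeviceState = iota // default for enrolled devices
	DeviceLocked                    // refuse access, keep local data
	DeviceWiped                     // refuse access and order the app to erase local data
)

// Decision is what the API returns to the app on every request.
type Decision string

const (
	Allow      Decision = "allow"
	DenyAuth   Decision = "deny-unauthenticated"
	DenyLocked Decision = "deny-locked"
	DenyWipe   Decision = "deny-wipe"
)

type session struct {
	userID   string
	deviceID string
	expires  time.Time
}

// Registry is the central, administrator-controlled authority for sessions
// and device state (an in-memory stand-in for a directory-backed service).
type Registry struct {
	mu       sync.Mutex
	sessions map[string]session
	devices  map[string]DeviceState
	now      func() time.Time // injectable clock for expiry tests
}

func NewRegistry() *Registry {
	return &Registry{sessions: map[string]session{}, devices: map[string]DeviceState{}, now: time.Now}
}

// IssueSession runs after the corporate LDAP/SSO server has verified the
// credentials (assumed done by the caller). Tokens are random, so nothing
// about the user or device can be derived from them, and they are bound
// to the device that requested them.
func (r *Registry) IssueSession(userID, deviceID string, ttl time.Duration) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.devices[deviceID] != DeviceActive {
		return "", errors.New("device is locked or wiped")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	r.sessions[token] = session{userID: userID, deviceID: deviceID, expires: r.now().Add(ttl)}
	return token, nil
}

// Authorize is called on every API request: valid token, not expired,
// presented by the device it was issued to, and the device still active.
func (r *Registry) Authorize(token, deviceID string) Decision {
	r.mu.Lock()
	defer r.mu.Unlock()
	s, ok := r.sessions[token]
	if !ok || s.deviceID != deviceID || r.now().After(s.expires) {
		return DenyAuth
	}
	switch r.devices[deviceID] {
	case DeviceLocked:
		return DenyLocked
	case DeviceWiped:
		return DenyWipe
	}
	return Allow
}

// Disable is the administrator action for a lost or stolen device. Sessions
// are left in place so the wipe instruction reaches the app; the state check
// in Authorize already denies data access from that point on.
func (r *Registry) Disable(deviceID string, state DeviceState) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.devices[deviceID] = state
}

// AppClient is a hypothetical stand-in for the native app: it acts on the
// server's decision, erasing its local data when ordered to.
type AppClient struct {
	deviceID  string
	token     string
	localData []byte // the app's encrypted local record
}

func (c *AppClient) Request(r *Registry) Decision {
	d := r.Authorize(c.token, c.deviceID)
	switch d {
	case DenyWipe:
		c.localData = nil // erase; a real app also clears its key store entries
		c.token = ""
	case DenyLocked, DenyAuth:
		c.token = "" // force re-authentication once the device is active again
	}
	return d
}
```

Keeping the decision on the server also gives the security team a single audit point: every lock, wipe and denied request is logged where the administrator can see it, regardless of what the device itself reports.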

With the rapid adoption of mobile devices in business, financial services IT experts must make data security the cornerstone of their mobile device strategy. Network encryption, secure authentication, minimal data storage, and passcode locking ensure your enterprise data can be securely transmitted to your mobile users. Today's modern work platform offers solutions to mobile-enable your enterprise applications and processes while maintaining a high level of security and access control.

Evan McDonnell is Appian's Vice President of Industry Practices and is responsible for guiding the company to meet the needs of specific industries. Evan has an extensive background in enterprise and SaaS software. He was most recently Vice President of Marketing at CodeRyte, ...

I agree, these mobile security tips are extremely helpful for companies that are seeking to innovate and not fall behind. Bank of Tennessee is a good example of a small player that was able to leap forward by adopting mobile applications so that its officers could process mortgages. Customers are demanding these applications, and with bring your own device (BYOD) to work becoming mainstream, companies need to implement these security practices rather than avoid mobile delivery, which would be a competitive disadvantage.

True, mobile offerings have evolved from nice-to-have to essential for today's businesses. The potential for security issues is troubling, but companies are better off taking the right security precautions instead of ignoring the mobile trend. This is a helpful list for those trying to build up their mobile security strategy.

Even the smaller players have to bite the bullet and take the leap into mobile and cloud or risk falling way, way, way behind on the tech innovation curve. Security, while important, cannot be a roadblock. Their customers expect similar levels of service and capabilities, and they have a real opportunity to secure their market with cutting-edge offerings.

Good point, Kathy. Reminds me of the way some firms have moved applications to the cloud even though they still have security concerns about doing so. For financial services institutions, a hacker getting into their network is such a huge threat. And all points connected to the network -- vendor partners and employee mobile devices -- have to be secured.

Evan, this is a useful checklist. It's interesting that just a few years ago, concerns about mobile security held back many banks and other FIs from moving aggressively into mobile offerings; some firms undoubtedly lost "first mover" advantage. Now it seems that banks for the most part have overcome the earlier concerns -- if nothing else, competitive concerns require that. Customers and employees want to interact on mobile platforms. However, that doesn't mean the security risks were overstated or have diminished.